FTP server behind Net Firewall

[Didier]

Hi all,

I am evaluating Net Firewall. I have installed it on a windows 2000 server SP4.
I have configured it to work with TCS, Web, pop3, smtp, DNS and FTP.
I have installed too Net Firewall onto my workstation which run onto windows 2000 Pro and I have configured it for the same protocols.
All works fine except FTP.
I am using Bullet Pro FTP server 2.1.5 and LeechFTP.
On my server the rules are:
FTP Server 5 ENABLED TCP 83.112.0.0 – 83.112.255.255 Any Any 21 Any WAN
FTP Server 2 6 ENABLED TCP 83.112.0.0 – 83.112.255.255 Any Any 20 Any WAN
On my workstation the rules are:
FTP Server 5 ENABLED TCP Any Any Any 21 Any WAN
FTP Server 2 6 ENABLED TCP Any Any Any 20 Any WAN

Authentification is OK but the dir list return nothing.
In the logs of the 2 machines I can see traffic allowed for port 21, on the server I can see traffic port 20 allowed but nothing about port 20 on my workstation (blocked or allowed).

Have any idea about that?

Thanks for your help

[Vadim Smirnov]

I’m not sure but I think the problem is that LeechFTP uses passive FTP mode (bot connections are established by client).

In this case:

1) client sends command PASV to server.
2) server start listening newly allocated port and responses with command PORT with its number.
3) client connects to this port => data channel is established.

I would recommend you to try some other FTP clients to check this issue, an example integrated into Windows http://ftp.exe. If I remember fine then explorer and IE also uses passive mode by default, but http://ftp.exe does not.

[Didier]

Well I have tried http://ftp.exe with same result.
Connection and authentification OK, “dir” does not work.
The same FTP server product is installed onto our Production Server which is behind an hardware firewall and connection from my workstation with LeechFTP works fine.
My Development FTP server has the same configuration than the production server.

All my rules are on the “WAN Network Interface”.

Is there something wrong?

Thanks

[Didier]

I would like explain the configuration.

We have a windows 2000 server which is used like routeur between the building WAN and our LAN.
There are 2 network cards into the server.
Our LAN is used by 3 macintosh workstation and 2 printers.

So in NeT Firewall Management Console under “Network Interfaces” there are the 2 network cards + “Wan Network Interface”.
LAN card parameter : Low level
WAN card parameter : Third level
Wan Network Interface : High security

All rules are for any interface
When WAN card parameter is set to High security there is no access to (for example) the Web. That is like rules cannot be applied.

Thanks for your help,

Didier

[Vadim Smirnov]

When you set High Security level then only packets are passed only there is a corresponding allow rule exists. So there is no wonder that your packets were blocked.

If you server works as an Internet Gateway using 3rd Stealth Level for the external card would be enough, by default all outgoing connnections are allowed but all incoming packets are blocked unless they belong to one of the locally established connections. However, this mode is strict enough, so some complex protocols which use multiply streams may have problems with it. If you use any of them you’d better use Stealth Level 2 or even Stealth Level 1.

High Security level is the best mode for the stand alone server which provides some certain services, like HTTP, FTP, e-mail and etc..

[Author]

Posts